police as a module

Signed-off-by: junior <[email protected]>

modules/oke-node-pool/providers.tf → modules/oke-node-pool/versions.tf

@@ -7,7 +7,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = "~> 4"
+      version = "~> 4, < 5"
       # https://registry.terraform.io/providers/oracle/oci/
     }
     local = {

modules/oke/main.tf

@@ -8,8 +8,9 @@ resource "oci_containerengine_cluster" "oke_cluster" {
   name               = "${local.app_name} (${local.deploy_id})"
   vcn_id             = var.vcn_id
   kms_key_id         = var.oci_vault_key_id_oke_secrets != "" ? var.oci_vault_key_id_oke_secrets : null
-  freeform_tags      = var.cluster_tags.freeformTags
-  defined_tags       = var.cluster_tags.definedTags
+  # type               = var.cluster_type
+  freeform_tags = var.cluster_tags.freeformTags
+  defined_tags  = var.cluster_tags.definedTags
 
   endpoint_config {
     is_public_ip_enabled = (var.cluster_endpoint_visibility == "Private") ? false : true

modules/oke/variables.tf

@@ -92,22 +92,22 @@ variable "k8s_version" {
 }
 
 # Create Dynamic Group and Policies
-variable "create_dynamic_group_for_nodes_in_compartment" {
-  default     = false # TODO: true 
-  description = "Creates dynamic group of Nodes in the compartment. Note: You need to have proper rights on the Tenancy. If you only have rights in a compartment, uncheck and ask you administrator to create the Dynamic Group for you"
-}
-variable "existent_dynamic_group_for_nodes_in_compartment" {
-  default     = ""
-  description = "Enter previous created Dynamic Group for the policies"
-}
-variable "create_compartment_policies" {
-  default     = false # TODO: true 
-  description = "Creates policies that will reside on the compartment. e.g.: Policies to support Cluster Autoscaler, OCI Logging datasource on Grafana"
-}
-variable "create_tenancy_policies" {
-  default     = false # TODO: true 
-  description = "Creates policies that need to reside on the tenancy. e.g.: Policies to support OCI Metrics datasource on Grafana"
-}
+# variable "create_dynamic_group_for_nodes_in_compartment" {
+#   default     = false # TODO: true 
+#   description = "Creates dynamic group of Nodes in the compartment. Note: You need to have proper rights on the Tenancy. If you only have rights in a compartment, uncheck and ask you administrator to create the Dynamic Group for you"
+# }
+# variable "existent_dynamic_group_for_nodes_in_compartment" {
+#   default     = ""
+#   description = "Enter previous created Dynamic Group for the policies"
+# }
+# variable "create_compartment_policies" {
+#   default     = false # TODO: true 
+#   description = "Creates policies that will reside on the compartment. e.g.: Policies to support Cluster Autoscaler, OCI Logging datasource on Grafana"
+# }
+# variable "create_tenancy_policies" {
+#   default     = false # TODO: true 
+#   description = "Creates policies that need to reside on the tenancy. e.g.: Policies to support OCI Metrics datasource on Grafana"
+# }
 
 # ORM Schema visual control variables
 variable "show_advanced" {

modules/oke/versions.tf

@@ -0,0 +1,19 @@
+# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+terraform {
+  required_version = ">= 1.1"
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = "~> 4, < 5"
+      # https://registry.terraform.io/providers/oracle/oci/
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2"
+      # https://registry.terraform.io/providers/hashicorp/local/
+    }
+  }
+}

policies.tf

@@ -0,0 +1,62 @@
+# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+module "cluster-dynamic-group" {
+  source = "./modules/oci-policies"
+
+  providers = {
+    oci             = oci
+    oci.home_region = oci.home_region
+  }
+
+  # Oracle Cloud Infrastructure Tenancy
+  tenancy_ocid = var.tenancy_ocid
+
+  # Deployment Tags + Freeform Tags + Defined Tags
+  oci_tag_values = local.oci_tag_values
+
+  create_dynamic_group = true
+  dynamic_group_name   = "OKE Cluster Nodes"
+  dynamic_group_matching_rules = [
+    "ALL {instance.compartment.id = '${local.oke_compartment_ocid}'}",
+    "ALL {resource.type = 'cluster', resource.compartment.id = '${local.oke_compartment_ocid}'}"
+  ]
+
+  count = var.create_dynamic_group_for_nodes_in_compartment ? 1 : 0
+}
+
+module "cluster-compartment-policies" {
+  source = "./modules/oci-policies"
+
+  providers = {
+    oci             = oci
+    oci.home_region = oci.home_region
+  }
+
+  # Oracle Cloud Infrastructure Tenancy and Compartment OCID
+  tenancy_ocid     = var.tenancy_ocid
+  compartment_ocid = local.oke_compartment_ocid
+
+  oci_tag_values = local.oci_tag_values
+
+  create_policy = true
+  policy_name   = "OKE Cluster Compartment Policies"
+  policy_statements = [
+    "Allow dynamic-group ${local.dynamic_group_name} to manage cluster-node-pools in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to manage instance-family in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to use subnets in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to read virtual-network-family in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to use vnics in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to inspect compartments in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to use network-security-groups in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to use private-ips in compartment id ${local.oke_compartment_ocid}",
+    "Allow dynamic-group ${local.dynamic_group_name} to manage public-ips in compartment id ${local.oke_compartment_ocid}"
+  ]
+
+  count = var.create_compartment_policies ? 1 : 0
+}
+
+locals {
+  dynamic_group_name = var.create_dynamic_group_for_nodes_in_compartment ? module.cluster-dynamic-group.0.dynamic_group_name : var.existent_dynamic_group_for_nodes_in_compartment
+}

providers.tf → providers.tf.example

@@ -1,43 +1,6 @@
-# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
-# 
-
-terraform {
-  required_version = ">= 1.1"
-  required_providers {
-    oci = {
-      source  = "oracle/oci"
-      version = "~> 4, < 5"
-      # https://registry.terraform.io/providers/oracle/oci/
-      configuration_aliases = [oci.home_region, oci.current_region]
-    }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> 2"
-      # https://registry.terraform.io/providers/hashicorp/kubernetes/
-    }
-    helm = {
-      source  = "hashicorp/helm"
-      version = "~> 2"
-      # https://registry.terraform.io/providers/hashicorp/helm/
-    }
-    tls = {
-      source  = "hashicorp/tls"
-      version = "~> 4"
-      # https://registry.terraform.io/providers/hashicorp/tls/
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "~> 2"
-      # https://registry.terraform.io/providers/hashicorp/local/
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3"
-      # https://registry.terraform.io/providers/hashicorp/random/
-    }
-  }
-}
+#
 
 provider "oci" {
   tenancy_ocid = var.tenancy_ocid
@@ -54,15 +17,15 @@ provider "oci" {
   private_key_path = var.private_key_path
 }
 
-provider "oci" {
-  alias        = "current_region"
-  tenancy_ocid = var.tenancy_ocid
-  region       = var.region
+# provider "oci" {
+#   alias        = "current_region"
+#   tenancy_ocid = var.tenancy_ocid
+#   region       = var.region
 
-  user_ocid        = var.user_ocid
-  fingerprint      = var.fingerprint
-  private_key_path = var.private_key_path
-}
+#   user_ocid        = var.user_ocid
+#   fingerprint      = var.fingerprint
+#   private_key_path = var.private_key_path
+# }
 
 # New configuration to avoid Terraform Kubernetes provider interpolation. https://registry.terraform.io/providers/hashicorp/kubernetes/2.2.0/docs#stacking-with-managed-kubernetes-cluster-resources
 # Currently need to uncheck to refresh (--refresh=false) when destroying or else the terraform destroy will fail
@@ -102,3 +65,15 @@ locals {
   cluster_id                = yamldecode(module.oke.kubeconfig)["users"][0]["user"]["exec"]["args"][4]
   cluster_region            = yamldecode(module.oke.kubeconfig)["users"][0]["user"]["exec"]["args"][6]
 }
+
+# Gets home and current regions
+data "oci_identity_tenancy" "tenant_details" {
+  tenancy_id = var.tenancy_ocid
+}
+
+data "oci_identity_regions" "home_region" {
+  filter {
+    name   = "key"
+    values = [data.oci_identity_tenancy.tenant_details.home_region_key]
+  }
+}